Solved

Problem after rename of a domain controller

Posted on 2010-08-18
Last Modified: 2012-05-10
I've decommissioned a domain controller (dc5) and then after a day renamed another domain controller to dc5.

Picking up problems on one of the root dc's where it keeps the serverreference attribute as the old dc's name. Thought this would be easy...

dcdiag is throwing machine account errors. I have already done a dcdiag /fixmachineaccount

* LIB-DC5-JHB Server Reference is incorrect! Should be CN=LIB-DC5-JHB1,OU=Domain Controllers,DC=something,DC=fin-za,DC=net, and is CN=LIB-DC5-JHB,OU=Domain Controllers,DC=something,DC=fin-za,DC=net.

ldap_search_sW failed with 2: The system cannot find the file specified.

......................... LIB-DC5-JHB failed test MachineAccount

When I go into adsiedit on the root dc and try and change the serverreference attribute it defaults back to the old name.
0
Question by:Nelesh_N
12 Comments
 
LVL 11

Expert Comment

by:Coast-IT
ID: 33462481
It's never as easy as that, although it should be...

Here is a great article on achieving what you need:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/72d5eda0-7185-4f97-a1cf-7952c12dc786
0
 
LVL 70

Expert Comment

by:KCTS
ID: 33462815
Did you actually demote the old DC5 before it was removed?
If so then a simple DCDIAG /fix may solve the problem
0
 
LVL 1

Author Comment

by:Nelesh_N
ID: 33463571
Yes I did do a demotion to a member server. Will try.
0
 
LVL 1

Author Comment

by:Nelesh_N
ID: 33463686
Nope, doesn't work.
0
 
LVL 1

Author Comment

by:Nelesh_N
ID: 33464416
Only one of the three root DCs that I have is picking up this problem.
0
 
LVL 11

Expert Comment

by:Coast-IT
ID: 33469701
What if you change the name to something else?

Then possibly change it back?

Strange one this.
0
 
LVL 3

Expert Comment

by:pmaribeiro
ID: 33473414
Did this server have FSMO roles, and did you move them?
0
 
LVL 1

Author Comment

by:Nelesh_N
ID: 33474450
Yes they were moved...
0
 
LVL 3

Expert Comment

by:pmaribeiro
ID: 33474857
You need to go to AD Sites and Services, go into the site where DC5 was and remove all entries about it.
Then do the same in DNS and in AD Users and Computers, in the Domain Controllers container.

I would suggest giving it a different name, because sometimes conflicts may occur with some objects that may be associated with the ID of the demoted DC.

So if you can, try to change it.
0
 
LVL 1

Author Comment

by:Nelesh_N
ID: 33496096
So the problem is that there was a lib-dc5-jhb already in the environment, then a lib-dc5-jhb1 was introduced. The second machine is a hardware replacement for lib-dc5-jhb. I then did the dcpromo to remove lib-dc5-jhb - all went successfully. Then I renamed lib-dc5-jhb1 to lib-dc5-jhb. This is where the problem lies, I don't think AD likes the reuse of machine names. If I do a ntdsutil I don't see any reference to lib-dc5-jhb1 but if I go to sites and services on another dc which happens to hold fsmo roles and is in the root. Go to sites and services, if I go to properties on lib-dc5-jhb I still see the server name as lib-dc5-jhb1. If I try to change the serverreference in adsiedit it defaults back to lib-dc5-jhb1. Why? It must be pulling this info from somewhere. I also looked at DNS and cannot find any reference to lib-dc5-jhb1...
0
 
LVL 1

Accepted Solution

by:Nelesh_N
ID: 33624216
Ended up removing LIB-DC5-JHB... fixed my problem. Will reintroduce as another DC.
0
 
LVL 3

Expert Comment

by:pmaribeiro
ID: 33624860
It's the best solution, because even if you remove all entries as stated, there is the possibility of the remains of the old SID lying around, and they will create enough problems with the same name. I've seen this too often, and normally the best solution is to rename to a new name, because the time consumed solving AD issues is sometimes extremely high.
0
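
Added example, not part of the original thread: a read-only PowerShell check that reads the server object's serverReference from each DC's own replica of the Configuration partition and compares it with the DN of the DC's computer account, which shows whether only one DC holds the stale value, as reported above. It assumes the ActiveDirectory module (RSAT) is installed; the function name, its parameters and the host names in the usage comment are hypothetical.

```powershell
# Added example (read-only). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ServerReferenceReport {
    param(
        [Parameter(Mandatory)][string]   $ServerName,         # CN of the server object
        [Parameter(Mandatory)][string]   $ExpectedComputerDN, # DN of the DC's computer account
        [Parameter(Mandatory)][string[]] $QueryDCs            # DCs whose replicas are read
    )
    foreach ($dc in $QueryDCs) {
        try {
            # Server objects live under CN=Sites in the Configuration partition.
            $configNC = (Get-ADRootDSE -Server $dc -ErrorAction Stop).configurationNamingContext
            $servers = @(Get-ADObject -Server $dc -SearchBase "CN=Sites,$configNC" `
                -LDAPFilter "(&(objectClass=server)(cn=$ServerName))" `
                -Properties serverReference, whenChanged -ErrorAction Stop)

            if ($servers.Count -eq 0) {
                [pscustomobject]@{ QueriedDC = $dc; ServerObject = $null
                                   ServerReference = $null; WhenChanged = $null
                                   Status = 'NoServerObject' }
                continue
            }
            foreach ($s in $servers) {
                $ref = [string]$s.serverReference
                # DNs are compared case-insensitively.
                $status = if (-not $ref) { 'Empty' }
                          elseif ($ref -ieq $ExpectedComputerDN) { 'OK' }
                          else { 'Mismatch' }
                [pscustomobject]@{ QueriedDC = $dc; ServerObject = $s.DistinguishedName
                                   ServerReference = $ref; WhenChanged = $s.whenChanged
                                   Status = $status }
            }
        }
        catch {
            # An unreachable DC is reported instead of aborting the whole run.
            [pscustomobject]@{ QueriedDC = $dc; ServerObject = $null
                               ServerReference = $null; WhenChanged = $null
                               Status = "QueryFailed: $($_.Exception.Message)" }
        }
    }
}

# Usage (placeholder values; substitute your own DC names and DN):
# Get-ServerReferenceReport -ServerName 'LIB-DC5-JHB' `
#     -ExpectedComputerDN '<DN of the DC computer account>' `
#     -QueryDCs 'rootdc1.example.net','rootdc2.example.net' | Format-Table -AutoSize
```

A row with Status 'Mismatch' on one DC while the others report 'OK' points at that DC's replica rather than at the renamed server itself.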
